Merge tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore: "We've got a few SELinux patches for the v5.2 merge window, the highlights are below: - Add LSM hooks, and the SELinux implementation, for proper labeling of kernfs. While we are only including the SELinux implementation here, the rest of the LSM folks have given the hooks a thumbs-up. - Update the SELinux mdp (Make Dummy Policy) script to actually work on a modern system. - Disallow userspace to change the LSM credentials via /proc/self/attr when the task's credentials are already overridden. The change was made in procfs because all the LSM folks agreed this was the Right Thing To Do and duplicating it across each LSM was going to be annoying" * tag 'selinux-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: proc: prevent changes to overridden credentials selinux: Check address length before reading address family kernfs: fix xattr name handling in LSM helpers MAINTAINERS: update SELinux file patterns selinux: avoid uninitialized variable warning selinux: remove useless assignments LSM: lsm_hooks.h - fix missing colon in docstring selinux: Make selinux_kernfs_init_security static kernfs: initialize security of newly created nodes selinux: implement the kernfs_init_security hook LSM: add new hook for kernfs node initialization kernfs: use simple_xattrs for security attributes selinux: try security xattr after genfs for kernfs filesystems kernfs: do not alloc iattrs in kernfs_xattr_get kernfs: clean up struct kernfs_iattrs scripts/selinux: fix build selinux: use kernel linux/socket.h for genheaders and mdp scripts/selinux: modernize mdp
author: Linus Torvalds <torvalds@linux-foundation.org> 2019-05-07 21:48:09 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-05-07 21:48:09 -0400
commit: f72dae20891d7bcc43e9263ab206960b6ae5209f (patch)
tree: 59a5b8c026adad15855d3824d1a7014468033274 /scripts
parent: 498e8631f27ed649bd3e31998a00b2b9b288cf3a (diff)
parent: 35a196bef449b5824033865b963ed9a43fb8c730 (diff)
3 files changed, 195 insertions, 64 deletions
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..2dccf141241d 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+set -e
 if [ `id -u` -ne 0 ]; then
        echo "$0: must be root to install the selinux policy"
        exit 1
 fi
 SF=`which setfiles`
 if [ $? -eq 1 ]; then
-        if [ -f /sbin/setfiles ]; then
+        echo "Could not find setfiles"
-                SF="/usr/setfiles"
+        echo "Do you have policycoreutils installed?"
-        else
+        exit 1
-                echo "no selinux tools installed: setfiles"
-                exit 1
-        fi
 fi
-cd mdp
 CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+        echo "Could not find checkpolicy"
+        echo "Do you have checkpolicy installed?"
+        exit 1
+fi
 VERS=`$CP -V | awk '{print $1}'`
-./mdp policy.conf file_contexts
+ENABLED=`which selinuxenabled`
-$CP -o policy.$VERS policy.conf
+if [ $? -eq 1 ]; then
+        echo "Could not find selinuxenabled"
+        echo "Do you have libselinux-utils installed?"
+        exit 1
+fi
+if selinuxenabled; then
+    echo "SELinux is already enabled"
+    echo "This prevents safely relabeling all files."
+    echo "Boot with selinux=0 on the kernel command-line or"
+    echo "SELINUX=disabled in /etc/selinux/config."
+    exit 1
+fi
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 if [ ! -d /etc/selinux ]; then
        mkdir -p /etc/selinux
 fi
-if [ ! -f /etc/selinux/config ]; then
+if [ -f /etc/selinux/config ]; then
-        cat > /etc/selinux/config << EOF
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
-SELINUX=enforcing
+    mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
 SELINUXTYPE=dummy
 EOF
-else
-        TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
-        if [ "eq$TYPE" != "eqdummy" ]; then
-                selinuxenabled
-                if [ $? -eq 0 ]; then
-                        echo "SELinux already enabled with a non-dummy policy."
-                        echo "Exiting.  Please install policy by hand if that"
-                        echo "is what you REALLY want."
-                        exit 1
-                fi
-                mv /etc/selinux/config /etc/selinux/config.mdpbak
-                grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
-                echo "SELINUXTYPE=dummy" >> /etc/selinux/config
-        fi
-fi
 cd /etc/selinux/dummy/contexts/files
-$SF file_contexts /
+$SF -F file_contexts /
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
+mounts=`cat /proc/$$/mounts | \
-$SF file_contexts $mounts
+        egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+        awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+echo "-F" > /.autorelabel
-dodev=`cat /proc/$$/mounts | grep "/dev "`
-if [ "eq$dodev" != "eq" ]; then
-        mount --move /dev /mnt
-        $SF file_contexts /dev
-        mount --move /mnt /dev
-fi
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index e9c92db7e2a3..8a1269a9d0ba 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
 hostprogs-y     := mdp
 HOST_EXTRACFLAGS += \
        -I$(srctree)/include/uapi -I$(srctree)/include \
-        -I$(srctree)/security/selinux/include
+        -I$(srctree)/security/selinux/include -I$(objtree)/include
 always          := $(hostprogs-y)
 clean-files     := policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6d51b74bc679..18fd6143888b 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <linux/kconfig.h>
 static void usage(char *name)
 {
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
        }
        fprintf(fout, "\n");
-        /* NOW PRINT OUT MLS STUFF */
+        /* print out mls declarations and constraints */
        if (mls) {
-                printf("MLS not yet implemented\n");
+                fprintf(fout, "sensitivity s0;\n");
-                exit(1);
+                fprintf(fout, "sensitivity s1;\n");
+                fprintf(fout, "dominance { s0 s1 }\n");
+                fprintf(fout, "category c0;\n");
+                fprintf(fout, "category c1;\n");
+                fprintf(fout, "level s0:c0.c1;\n");
+                fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+                for (i = 0; secclass_map[i].name; i++) {
+                        struct security_class_mapping *map = &secclass_map[i];
+                        fprintf(fout, "mlsconstrain %s {\n", map->name);
+                        for (j = 0; map->perms[j]; j++)
+                                fprintf(fout, "\t%s\n", map->perms[j]);
+                        /*
+                         * This requires all subjects and objects to be
+                         * single-level (l2 eq h2), and that the subject
+                         * level dominate the object level (h1 dom h2)
+                         * in order to have any permissions to it.
+                         */
+                        fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+                }
        }
        /* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
        for (i = 0; secclass_map[i].name; i++)
                fprintf(fout, "allow base_t base_t:%s *;\n",
                        secclass_map[i].name);
-        fprintf(fout, "user user_u roles { base_r };\n");
+        fprintf(fout, "user user_u roles { base_r }");
-        fprintf(fout, "\n");
+        if (mls)
+                fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+                        SYSTEMLOW, SYSTEMHIGH);
+        fprintf(fout, ";\n");
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
        /* default sids */
        for (i = 1; i < initial_sid_to_string_len; i++)
-                fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+                fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
+                        initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
        fprintf(fout, "\n");
-        fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+#define FS_USE(behavior, fstype)                            \
-        fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
-        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
+                behavior, fstype, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels can be fetched via getxattr.
-        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+         */
-        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+#ifdef CONFIG_EXT2_FS_SECURITY
+        FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+        FS_USE("xattr", "ext2");
+#endif
+        FS_USE("xattr", "ext3");
+        FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+        FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+        FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+        FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+        FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+        FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+        FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+        FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+        FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+        FS_USE("xattr", "squashfs");
+#endif
+        /*
+         * Filesystems whose inodes are labeled from allocating task.
+         */
+        FS_USE("task", "pipefs");
+        FS_USE("task", "sockfs");
-        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels are computed from both
-        fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+         * the allocating task and the superblock label.
+         */
+#ifdef CONFIG_UNIX98_PTYS
+        FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+        FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+        FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+        FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+        FS_USE("trans", "mqueue");
+#endif
-        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
+#define GENFSCON(fstype, prefix)                             \
-        fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
-        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
+                fstype, prefix, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-        fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+        /*
+         * Filesystems whose inodes are labeled from path prefix match
+         * relative to the filesystem root.  Depending on the filesystem,
+         * only a single label for all inodes may be supported.  Here
+         * we list the filesystem types for which per-file labeling is
+         * supported using genfscon; any other filesystem type can also
+         * be added by only with a single entry for all of its inodes.
+         */
+#ifdef CONFIG_PROC_FS
+        GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+        GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+        GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+        GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+        GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+        GENFSCON("pstore", "/");
+#endif
+        GENFSCON("cgroup", "/");
+        GENFSCON("cgroup2", "/");
        fclose(fout);
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
                printf("Wrote policy, but cannot open %s for writing\n", ctxout);
                usage(argv[0]);
        }
-        fprintf(fout, "/ user_u:base_r:base_t\n");
+        fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
-        fprintf(fout, "/.* user_u:base_r:base_t\n");
+        fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
        fclose(fout);
        return 0;
author	Linus Torvalds <torvalds@linux-foundation.org>	2019-05-07 21:48:09 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-05-07 21:48:09 -0400
commit	f72dae20891d7bcc43e9263ab206960b6ae5209f (patch)
tree	59a5b8c026adad15855d3824d1a7014468033274 /scripts
parent	498e8631f27ed649bd3e31998a00b2b9b288cf3a (diff)
parent	35a196bef449b5824033865b963ed9a43fb8c730 (diff)

diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh index 0b86c47baf7d..2dccf141241d 100755 --- a/scripts/selinux/install_policy.sh +++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
1	#!/bin/sh	1	#!/bin/sh
2	# SPDX-License-Identifier: GPL-2.0	2	# SPDX-License-Identifier: GPL-2.0
		3	set -e
3	if [ `id -u` -ne 0 ]; then	4	if [ `id -u` -ne 0 ]; then
4	echo "$0: must be root to install the selinux policy"	5	echo "$0: must be root to install the selinux policy"
5	exit 1	6	exit 1
6	fi	7	fi
		8
7	SF=`which setfiles`	9	SF=`which setfiles`
8	if [ $? -eq 1 ]; then	10	if [ $? -eq 1 ]; then
9	if [ -f /sbin/setfiles ]; then	11	echo "Could not find setfiles"
10	SF="/usr/setfiles"	12	echo "Do you have policycoreutils installed?"
11	else	13	exit 1
12	echo "no selinux tools installed: setfiles"
13	exit 1
14	fi
15	fi	14	fi
16		15
17	cd mdp
18
19	CP=`which checkpolicy`	16	CP=`which checkpolicy`
		17	if [ $? -eq 1 ]; then
		18	echo "Could not find checkpolicy"
		19	echo "Do you have checkpolicy installed?"
		20	exit 1
		21	fi
20	VERS=`$CP -V \| awk '{print $1}'`	22	VERS=`$CP -V \| awk '{print $1}'`
21		23
22	./mdp policy.conf file_contexts	24	ENABLED=`which selinuxenabled`
23	$CP -o policy.$VERS policy.conf	25	if [ $? -eq 1 ]; then
		26	echo "Could not find selinuxenabled"
		27	echo "Do you have libselinux-utils installed?"
		28	exit 1
		29	fi
		30
		31	if selinuxenabled; then
		32	echo "SELinux is already enabled"
		33	echo "This prevents safely relabeling all files."
		34	echo "Boot with selinux=0 on the kernel command-line or"
		35	echo "SELINUX=disabled in /etc/selinux/config."
		36	exit 1
		37	fi
		38
		39	cd mdp
		40	./mdp -m policy.conf file_contexts
		41	$CP -U allow -M -o policy.$VERS policy.conf
24		42
25	mkdir -p /etc/selinux/dummy/policy	43	mkdir -p /etc/selinux/dummy/policy
26	mkdir -p /etc/selinux/dummy/contexts/files	44	mkdir -p /etc/selinux/dummy/contexts/files
27		45
		46	echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
		47	echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
		48	echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
		49	cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
		50	client * user_u:base_r:base_t:s0
		51	property * user_u:object_r:base_t:s0
		52	extension * user_u:object_r:base_t:s0
		53	selection * user_u:object_r:base_t:s0
		54	event * user_u:object_r:base_t:s0
		55	EOF
		56	touch /etc/selinux/dummy/contexts/virtual_domain_context
		57	touch /etc/selinux/dummy/contexts/virtual_image_context
		58
28	cp file_contexts /etc/selinux/dummy/contexts/files	59	cp file_contexts /etc/selinux/dummy/contexts/files
29	cp dbus_contexts /etc/selinux/dummy/contexts	60	cp dbus_contexts /etc/selinux/dummy/contexts
30	cp policy.$VERS /etc/selinux/dummy/policy	61	cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
33	if [ ! -d /etc/selinux ]; then	64	if [ ! -d /etc/selinux ]; then
34	mkdir -p /etc/selinux	65	mkdir -p /etc/selinux
35	fi	66	fi
36	if [ ! -f /etc/selinux/config ]; then	67	if [ -f /etc/selinux/config ]; then
37	cat > /etc/selinux/config << EOF	68	echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
38	SELINUX=enforcing	69	mv /etc/selinux/config /etc/selinux/config.bak
		70	fi
		71	echo "Creating new /etc/selinux/config for dummy policy."
		72	cat > /etc/selinux/config << EOF
		73	SELINUX=permissive
39	SELINUXTYPE=dummy	74	SELINUXTYPE=dummy
40	EOF	75	EOF
41	else
42	TYPE=`cat /etc/selinux/config \| grep "^SELINUXTYPE" \| tail -1 \| awk -F= '{ print $2 '}`
43	if [ "eq$TYPE" != "eqdummy" ]; then
44	selinuxenabled
45	if [ $? -eq 0 ]; then
46	echo "SELinux already enabled with a non-dummy policy."
47	echo "Exiting. Please install policy by hand if that"
48	echo "is what you REALLY want."
49	exit 1
50	fi
51	mv /etc/selinux/config /etc/selinux/config.mdpbak
52	grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
53	echo "SELINUXTYPE=dummy" >> /etc/selinux/config
54	fi
55	fi
56		76
57	cd /etc/selinux/dummy/contexts/files	77	cd /etc/selinux/dummy/contexts/files
58	$SF file_contexts /	78	$SF -F file_contexts /
59		79
60	mounts=`cat /proc/$$/mounts \| egrep "ext2\|ext3\|xfs\|jfs\|ext4\|ext4dev\|gfs2" \| awk '{ print $2 '}`	80	mounts=`cat /proc/$$/mounts \| \
61	$SF file_contexts $mounts	81	egrep "ext[234]\|jfs\|xfs\|reiserfs\|jffs2\|gfs2\|btrfs\|f2fs\|ocfs2" \| \
		82	awk '{ print $2 '}`
		83	$SF -F file_contexts $mounts
62		84
63		85	echo "-F" > /.autorelabel
64	dodev=`cat /proc/$$/mounts \| grep "/dev "`
65	if [ "eq$dodev" != "eq" ]; then
66	mount --move /dev /mnt
67	$SF file_contexts /dev
68	mount --move /mnt /dev
69	fi


diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile index e9c92db7e2a3..8a1269a9d0ba 100644 --- a/scripts/selinux/mdp/Makefile +++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
2	hostprogs-y := mdp	2	hostprogs-y := mdp
3	HOST_EXTRACFLAGS += \	3	HOST_EXTRACFLAGS += \
4	-I$(srctree)/include/uapi -I$(srctree)/include \	4	-I$(srctree)/include/uapi -I$(srctree)/include \
5	-I$(srctree)/security/selinux/include	5	-I$(srctree)/security/selinux/include -I$(objtree)/include
6		6
7	always := $(hostprogs-y)	7	always := $(hostprogs-y)
8	clean-files := policy.* file_contexts	8	clean-files := policy.* file_contexts


diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6d51b74bc679..18fd6143888b 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
32	#include <stdlib.h>	32	#include <stdlib.h>
33	#include <unistd.h>	33	#include <unistd.h>
34	#include <string.h>	34	#include <string.h>
		35	#include <linux/kconfig.h>
35		36
36	static void usage(char *name)	37	static void usage(char *name)
37	{	38	{
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
94	}	95	}
95	fprintf(fout, "\n");	96	fprintf(fout, "\n");
96		97
97	/* NOW PRINT OUT MLS STUFF */	98	/* print out mls declarations and constraints */
98	if (mls) {	99	if (mls) {
99	printf("MLS not yet implemented\n");	100	fprintf(fout, "sensitivity s0;\n");
100	exit(1);	101	fprintf(fout, "sensitivity s1;\n");
		102	fprintf(fout, "dominance { s0 s1 }\n");
		103	fprintf(fout, "category c0;\n");
		104	fprintf(fout, "category c1;\n");
		105	fprintf(fout, "level s0:c0.c1;\n");
		106	fprintf(fout, "level s1:c0.c1;\n");
		107	#define SYSTEMLOW "s0"
		108	#define SYSTEMHIGH "s1:c0.c1"
		109	for (i = 0; secclass_map[i].name; i++) {
		110	struct security_class_mapping *map = &secclass_map[i];
		111
		112	fprintf(fout, "mlsconstrain %s {\n", map->name);
		113	for (j = 0; map->perms[j]; j++)
		114	fprintf(fout, "\t%s\n", map->perms[j]);
		115	/*
		116	* This requires all subjects and objects to be
		117	* single-level (l2 eq h2), and that the subject
		118	* level dominate the object level (h1 dom h2)
		119	* in order to have any permissions to it.
		120	*/
		121	fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
		122	}
101	}	123	}
102		124
103	/* types, roles, and allows */	125	/* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
107	for (i = 0; secclass_map[i].name; i++)	129	for (i = 0; secclass_map[i].name; i++)
108	fprintf(fout, "allow base_t base_t:%s *;\n",	130	fprintf(fout, "allow base_t base_t:%s *;\n",
109	secclass_map[i].name);	131	secclass_map[i].name);
110	fprintf(fout, "user user_u roles { base_r };\n");	132	fprintf(fout, "user user_u roles { base_r }");
111	fprintf(fout, "\n");	133	if (mls)
		134	fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
		135	SYSTEMLOW, SYSTEMHIGH);
		136	fprintf(fout, ";\n");
		137
		138	#define SUBJUSERROLETYPE "user_u:base_r:base_t"
		139	#define OBJUSERROLETYPE "user_u:object_r:base_t"
112		140
113	/* default sids */	141	/* default sids */
114	for (i = 1; i < initial_sid_to_string_len; i++)	142	for (i = 1; i < initial_sid_to_string_len; i++)
115	fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);	143	fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
		144	initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
116	fprintf(fout, "\n");	145	fprintf(fout, "\n");
117		146
118	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");	147	#define FS_USE(behavior, fstype) \
119	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");	148	fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
120	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");	149	behavior, fstype, mls ? ":" SYSTEMLOW : "")
121	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");	150
122	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");	151	/*
123	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");	152	* Filesystems whose inode labels can be fetched via getxattr.
124	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");	153	*/
125	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");	154	#ifdef CONFIG_EXT2_FS_SECURITY
		155	FS_USE("xattr", "ext2");
		156	#endif
		157	#ifdef CONFIG_EXT4_FS_SECURITY
		158	#ifdef CONFIG_EXT4_USE_FOR_EXT2
		159	FS_USE("xattr", "ext2");
		160	#endif
		161	FS_USE("xattr", "ext3");
		162	FS_USE("xattr", "ext4");
		163	#endif
		164	#ifdef CONFIG_JFS_SECURITY
		165	FS_USE("xattr", "jfs");
		166	#endif
		167	#ifdef CONFIG_REISERFS_FS_SECURITY
		168	FS_USE("xattr", "reiserfs");
		169	#endif
		170	#ifdef CONFIG_JFFS2_FS_SECURITY
		171	FS_USE("xattr", "jffs2");
		172	#endif
		173	#ifdef CONFIG_XFS_FS
		174	FS_USE("xattr", "xfs");
		175	#endif
		176	#ifdef CONFIG_GFS2_FS
		177	FS_USE("xattr", "gfs2");
		178	#endif
		179	#ifdef CONFIG_BTRFS_FS
		180	FS_USE("xattr", "btrfs");
		181	#endif
		182	#ifdef CONFIG_F2FS_FS_SECURITY
		183	FS_USE("xattr", "f2fs");
		184	#endif
		185	#ifdef CONFIG_OCFS2_FS
		186	FS_USE("xattr", "ocsfs2");
		187	#endif
		188	#ifdef CONFIG_OVERLAY_FS
		189	FS_USE("xattr", "overlay");
		190	#endif
		191	#ifdef CONFIG_SQUASHFS_XATTR
		192	FS_USE("xattr", "squashfs");
		193	#endif
		194
		195	/*
		196	* Filesystems whose inodes are labeled from allocating task.
		197	*/
		198	FS_USE("task", "pipefs");
		199	FS_USE("task", "sockfs");
126		200
127	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");	201	/*
128	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");	202	* Filesystems whose inode labels are computed from both
129	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");	203	* the allocating task and the superblock label.
		204	*/
		205	#ifdef CONFIG_UNIX98_PTYS
		206	FS_USE("trans", "devpts");
		207	#endif
		208	#ifdef CONFIG_HUGETLBFS
		209	FS_USE("trans", "hugetlbfs");
		210	#endif
		211	#ifdef CONFIG_TMPFS
		212	FS_USE("trans", "tmpfs");
		213	#endif
		214	#ifdef CONFIG_DEVTMPFS
		215	FS_USE("trans", "devtmpfs");
		216	#endif
		217	#ifdef CONFIG_POSIX_MQUEUE
		218	FS_USE("trans", "mqueue");
		219	#endif
130		220
131	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");	221	#define GENFSCON(fstype, prefix) \
132	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");	222	fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
133	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");	223	fstype, prefix, mls ? ":" SYSTEMLOW : "")
134	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
135	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
136		224
137	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");	225	/*
		226	* Filesystems whose inodes are labeled from path prefix match
		227	* relative to the filesystem root. Depending on the filesystem,
		228	* only a single label for all inodes may be supported. Here
		229	* we list the filesystem types for which per-file labeling is
		230	* supported using genfscon; any other filesystem type can also
		231	* be added by only with a single entry for all of its inodes.
		232	*/
		233	#ifdef CONFIG_PROC_FS
		234	GENFSCON("proc", "/");
		235	#endif
		236	#ifdef CONFIG_SECURITY_SELINUX
		237	GENFSCON("selinuxfs", "/");
		238	#endif
		239	#ifdef CONFIG_SYSFS
		240	GENFSCON("sysfs", "/");
		241	#endif
		242	#ifdef CONFIG_DEBUG_FS
		243	GENFSCON("debugfs", "/");
		244	#endif
		245	#ifdef CONFIG_TRACING
		246	GENFSCON("tracefs", "/");
		247	#endif
		248	#ifdef CONFIG_PSTORE
		249	GENFSCON("pstore", "/");
		250	#endif
		251	GENFSCON("cgroup", "/");
		252	GENFSCON("cgroup2", "/");
138		253
139	fclose(fout);	254	fclose(fout);
140		255
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
143	printf("Wrote policy, but cannot open %s for writing\n", ctxout);	258	printf("Wrote policy, but cannot open %s for writing\n", ctxout);
144	usage(argv[0]);	259	usage(argv[0]);
145	}	260	}
146	fprintf(fout, "/ user_u:base_r:base_t\n");	261	fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
147	fprintf(fout, "/.* user_u:base_r:base_t\n");	262	fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
148	fclose(fout);	263	fclose(fout);
149		264
150	return 0;	265	return 0;